Network scans and reconnaissance are routine work, and while there is no shortage of free tools for it, few of them produce a presentable report. For nmap, the nmap-bootstrap-xsl project turns nmap's XML output into an HTML page, available here: honze-net/nmap-bootstrap-xsl: A Nmap XSL implementation with Bootstrap.
Creating the HTML report is simple:
Change directory to wherever you keep scan results (your Desktop is fine).
Download the stylesheet: wget https://raw.githubusercontent.com/honze-net/nmap-bootstrap-xsl/master/nmap-bootstrap.xsl
Run the scan with XML output, because the stylesheet works on nmap's XML and not on its normal text output: nmap -oX nmap_scan.xml <target> (add whatever scan options you normally use)
Convert the XML file: xsltproc -o nmap_report.html nmap-bootstrap.xsl nmap_scan.xml
Syntax: xsltproc -o <output_file> <stylesheet> <input_xml>
This gives you an HTML report that opens in any browser. nmap's --stylesheet option can also point at the same XSL so a browser renders the XML directly, but the converted HTML does not depend on the stylesheet sitting next to it. Remember that the report lists every host and service you found, so store it with the same care as the raw scan data.
Headless scanning is useful when you will not keep access to the machine doing the scan, for example a lab host such as netlab that goes to sleep and wipes your work after a timeout. Rather than returning to the machine for the results, post them to a server you control as they are produced.
The command syntax is simple. See:
# Send the command and output for DNS lookup with dig
echo "Running: dig @141.165.6.6 any" | tee -a /tmp/dig_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
dig @141.165.6.6 any | tee -a /tmp/dig_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
Breakdown:
dig @141.165.6.6 any
dig = Domain Information Groper (DNS lookup tool).
@141.165.6.6 → Queries the DNS server at 141.165.6.6.
any → Asks for every record type (A, AAAA, MX, TXT, CNAME, etc.) instead of just A records. No name is given in this command, so dig queries the root zone ("."); put the domain you are interested in before "any" to get its records, and expect many resolvers to answer ANY queries with a minimal response (RFC 8482) rather than the full set.
| tee -a /tmp/dig_output.txt
Appends the dig output to /tmp/dig_output.txt while still passing it down the pipe. The -a matters because the "Running:" line and the command output are written by two separate pipelines; without it the second tee overwrites the first.
| curl --data-binary @- https://your_server.com/file_drop.php
Sends the DNS lookup results to the server (your_server.com/file_drop.php, the PHP receiver shown below).
--data-binary @- → Reads stdin (the dig results) and sends it unchanged as the POST request body. curl's -d @- also posts stdin, but -d strips newlines from file and stdin input, which turns a multi-line scan into one long line; --data-binary keeps the output as written. -X POST is implied by either option.
A pipeline like this posts everything to your server without further intervention, provided the following PHP file is served as file_drop.php (the entire command list is at the bottom of the page). As written the endpoint accepts a POST from anyone who finds the URL, so put it behind web-server authentication or an IP allow-list, and keep the log file outside the web root so nobody can download your scan results by guessing its name:
<?php
// Append the raw POST body to a log kept outside the web root (adjust the path;
// the web server user must be able to write there) so it cannot be fetched by URL
$logFile = dirname(__DIR__) . '/drop/received_data.txt';
$maxBytes = 10 * 1024 * 1024; // refuse bodies over 10 MB so a stray post cannot fill the disk
$raw_data = file_get_contents("php://input", false, null, 0, $maxBytes + 1);
if ($raw_data === false || strlen($raw_data) > $maxBytes) {
    http_response_code(413);
    exit;
}
// Stamp each post so separate commands can be told apart in the single log
$header = "=== " . date('c') . " from " . $_SERVER['REMOTE_ADDR'] . "\n";
file_put_contents($logFile, $header . $raw_data . "\n", FILE_APPEND | LOCK_EX);
?>
No response body is sent to the client. This could be extended to write each post to its own file, but that is not necessary if you want everything appended to one log.
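A wrapper for the pipeline above, added here as an example rather than taken from the page: it runs one command, keeps a local copy with a "Running:" header and the exit status, and posts that file with curl. DROP_URL, DROP_AUTH, RESULT_DIR and the X-Drop-Name header are names chosen for this example; DROP_AUTH assumes the endpoint sits behind web-server basic authentication and can stay empty for a receiver that has none. --data-binary is used rather than -d because -d strips newlines from file input, which would flatten a whole nmap run into one line.

```shell
#!/bin/sh
# run_and_post.sh: run one command headless, keep its output locally, post it home.
# Usage: ./run_and_post.sh LABEL COMMAND [ARGS...]
#   e.g. ./run_and_post.sh nmap_quick nmap -T4 -F 10.25.1.0/24
# Example code, not from the original page. DROP_URL, DROP_AUTH, RESULT_DIR and the
# X-Drop-Name header are names chosen for this example.

DROP_URL="${DROP_URL:-https://your_server.com/file_drop.php}"
DROP_AUTH="${DROP_AUTH:-}"            # "user:password" when the endpoint sits behind basic auth
RESULT_DIR="${RESULT_DIR:-/tmp/scan_results}"

# post_file FILE LABEL: send FILE as the raw POST body. Returns curl's exit status.
post_file() {
    local file="$1" label="$2"
    set --
    [ -n "$DROP_AUTH" ] && set -- -u "$DROP_AUTH"
    # --data-binary keeps newlines (-d @file strips them); --fail turns an HTTP
    # error such as 403 or 413 into a non-zero exit; --retry covers a flaky link.
    curl --silent --show-error --fail --retry 3 --retry-delay 5 "$@" \
         -H "X-Drop-Name: $label" --data-binary "@$file" "$DROP_URL"
}

# run_and_post LABEL COMMAND...: write "Running: ...", the command's combined
# stdout and stderr, and its exit status to RESULT_DIR/LABEL.txt, then post the file.
# Returns the command's own status so a failed scan is not confused with a failed
# upload; an upload failure is reported on stderr and the local copy is kept.
run_and_post() {
    local label="$1" out status
    shift
    out="$RESULT_DIR/$label.txt"
    mkdir -p "$RESULT_DIR"
    {
        printf 'Running: %s\n' "$*"
        "$@" 2>&1
        status=$?
        printf 'Exit status: %d\n' "$status"
    } > "$out"
    if ! post_file "$out" "$label"; then
        echo "upload failed; local copy kept at $out" >&2
    fi
    return "$status"
}

# Run as a script: the arguments are LABEL COMMAND...
if [ $# -gt 0 ]; then
    run_and_post "$@"
fi
```

Each command gets its own file under RESULT_DIR, so nothing is lost if the upload fails, and the exit status line tells you afterwards whether a short output means "nothing found" or "tool not installed".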
Drag-and-drop file transfer is a convenient way to get your work home quickly. It needs an HTML page and a PHP handler. Because the handler writes whatever a browser sends it into a directory under the web root, do not leave it exposed: put the page and upload.php behind web-server authentication, and make sure uploads/ cannot execute scripts (disable PHP for that directory, for example with a php_flag engine off directive under mod_php or a deny rule for *.php, or store the uploads outside the document root).
HTML:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Drag & Drop File Upload</title>
<style>
body { font-family: Arial, sans-serif; text-align: center; }
#drop-zone {
width: 300px;
height: 150px;
border: 2px dashed #ccc;
line-height: 150px;
margin: 50px auto;
font-size: 18px;
color: #888;
}
#drop-zone.dragover { border-color: #333; color: #333; }
</style>
</head>
<body>
<h2>Drag & Drop File Upload</h2>
<div id="drop-zone">Drop files here</div>
<input type="file" id="file-input" multiple>
<script>
const dropZone = document.getElementById('drop-zone');
const fileInput = document.getElementById('file-input');
dropZone.addEventListener('dragover', (e) => {
e.preventDefault();
dropZone.classList.add('dragover');
});
dropZone.addEventListener('dragleave', () => dropZone.classList.remove('dragover'));
dropZone.addEventListener('drop', (e) => {
e.preventDefault();
dropZone.classList.remove('dragover');
uploadFiles(e.dataTransfer.files);
});
fileInput.addEventListener('change', () => uploadFiles(fileInput.files));
function uploadFiles(files) {
const formData = new FormData();
for (let file of files) {
formData.append('files[]', file);
}
fetch('upload.php', { method: 'POST', body: formData })
.then(response => response.text())
.then(alert)
.catch(console.error);
}
</script>
</body>
</html>
php:
<?php
// Store browser uploads under uploads/ (0750, not 0777: keep other local accounts out)
$uploadDir = __DIR__ . '/uploads/';
if (!is_dir($uploadDir)) {
    mkdir($uploadDir, 0750, true);
}
if (!empty($_FILES['files'])) {
    foreach ($_FILES['files']['tmp_name'] as $key => $tmp_name) {
        // Skip anything that did not arrive through the upload mechanism
        if (!is_uploaded_file($tmp_name)) {
            continue;
        }
        // basename() drops directory parts; the regex reduces the rest to plain filename
        // characters, so no ../, spaces or shell metacharacters survive, and a leading dot
        // is prefixed so nobody can plant a .htaccess in uploads/
        $filename = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($_FILES['files']['name'][$key]));
        if ($filename === '' || $filename[0] === '.') {
            $filename = 'upload_' . $filename;
        }
        // Do not overwrite an earlier transfer that used the same name
        $dest = $uploadDir . $filename;
        if (file_exists($dest)) {
            $dest = $uploadDir . time() . '_' . $filename;
        }
        move_uploaded_file($tmp_name, $dest);
    }
    echo "Files uploaded successfully!";
} else {
    echo "No files uploaded.";
}
?>
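The same upload.php also accepts files from a machine with no browser, which is the usual situation on the scanning box. The following is added here as an example, not code from the page: it writes a SHA-256 manifest of the result files, then sends the files and the manifest in one multipart request with curl, using the files[] field name upload.php reads, so you can verify after the transfer that nothing was truncated. UPLOAD_URL and UPLOAD_AUTH are names assumed for this example; UPLOAD_AUTH matches web-server basic authentication in front of the page and can stay empty.

```shell
#!/bin/sh
# upload_results.sh: send result files to upload.php with curl, plus a SHA-256 manifest.
# Usage: ./upload_results.sh FILE [FILE...]
# Example code, not from the original page; UPLOAD_URL and UPLOAD_AUTH are assumed names.

UPLOAD_URL="${UPLOAD_URL:-https://your_server.com/upload.php}"
UPLOAD_AUTH="${UPLOAD_AUTH:-}"        # "user:password" when the page sits behind basic auth

# sha256_of FILE: print the hex digest with whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# write_manifest MANIFEST FILE...: one "digest  name" line per file, in sha256sum's
# own format, so `sha256sum -c MANIFEST.sha256` inside uploads/ verifies the copies.
write_manifest() {
    local manifest="$1"
    shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$manifest"
    done
}

# upload_files FILE...: one multipart POST carrying every file and the manifest as
# files[] parts, the field name upload.php reads from $_FILES['files']. Prints the
# server's reply and returns curl's exit status. curl interprets ';' and ',' inside
# an -F value, so paths containing those characters need curl's quoting rules.
upload_files() {
    local manifest n status
    manifest="$(mktemp)"
    write_manifest "$manifest" "$@"
    # Rewrite the positional parameters into curl -F arguments: the for list is
    # expanded once up front, so appending to $@ inside the loop is safe.
    n=$#
    for f in "$@"; do
        set -- "$@" -F "files[]=@$f"
    done
    shift "$n"
    set -- "$@" -F "files[]=@$manifest;filename=MANIFEST.sha256"
    [ -n "$UPLOAD_AUTH" ] && set -- -u "$UPLOAD_AUTH" "$@"
    # No --fail here: on an error the response body is the most useful message.
    curl --silent --show-error "$@" "$UPLOAD_URL"
    status=$?
    rm -f "$manifest"
    return "$status"
}

if [ $# -gt 0 ]; then
    upload_files "$@"
fi
```

On the receiving side, cd uploads && sha256sum -c MANIFEST.sha256 reports OK per file; a FAILED line means the copy is incomplete or was altered in transit.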
As promised, here is the complete list of commands to run scans and post the results to your server. They have been cleaned up for the problems noted above (curl --data-binary so newlines survive, tee -a so the local file keeps both the header line and the output, file_drop.php as the endpoint, and correct quoting of the loop headers), but they have not been run end to end, so check each tool's options on your own box before relying on them:
# Send the command and output for DNS lookup with dig
# (with no name argument dig queries the root zone; put the domain you care about before "any")
echo "Running: dig @141.165.6.6 any" | tee -a /tmp/dig_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
dig @141.165.6.6 any | tee -a /tmp/dig_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
# Send the command and output for Nmap scan excluding port 21 (run as root if you want -A's OS detection)
echo "Running: nmap -T4 -A -v --exclude-ports 21 10.25.1.16/24" | tee -a /tmp/nmap_exclude_ports_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
nmap -T4 -A -v --exclude-ports 21 10.25.1.16/24 | tee -a /tmp/nmap_exclude_ports_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
# Send the command and output for fping scan (-g expands a CIDR range into targets; without it fping treats the argument as a hostname)
echo "Running: fping -a -g 10.25.1.0/24 2>/dev/null" | tee -a /tmp/fping_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
fping -a -g 10.25.1.0/24 2>/dev/null | tee -a /tmp/fping_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
# Send the command and output for traceroute
echo "Running: traceroute 10.25.1.16" | tee -a /tmp/traceroute_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
traceroute 10.25.1.16 | tee -a /tmp/traceroute_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
# Send the command and output for nc (Netcat): nc takes one host, not a CIDR range, so loop over the range;
# it reports on stderr, hence the 2>&1, and -w 1 keeps a silent host from stalling the loop
echo 'Running: for ip in $(seq 1 254); do nc -zv -w 1 10.25.1.$ip 1-1000; done' | tee -a /tmp/netcat_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
for ip in $(seq 1 254); do nc -zv -w 1 10.25.1.$ip 1-1000; done 2>&1 | tee -a /tmp/netcat_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
# Send the command and output for masscan (needs root for raw packets)
echo "Running: sudo masscan 10.25.1.0/24 -p1-1000 --rate=1000" | tee -a /tmp/masscan_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
sudo masscan 10.25.1.0/24 -p1-1000 --rate=1000 | tee -a /tmp/masscan_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
# Send the command and output for zmap scan (needs root; -o - writes the results to stdout)
echo "Running: sudo zmap -p80 10.25.1.0/24 -o -" | tee -a /tmp/zmap_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
sudo zmap -p80 10.25.1.0/24 -o - | tee -a /tmp/zmap_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
# Send the command and output for nping (ICMP mode needs root; -c 1 sends one probe per host instead of the default five)
echo "Running: sudo nping --icmp -c 1 10.25.1.0/24" | tee -a /tmp/nping_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
sudo nping --icmp -c 1 10.25.1.0/24 | tee -a /tmp/nping_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
# Send the command and output for nikto scan (nikto takes a single host, or a file of hosts, per -h, not a CIDR range)
echo 'Running: for ip in $(seq 1 254); do nikto -h 10.25.1.$ip; done' | tee -a /tmp/nikto_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
for ip in $(seq 1 254); do nikto -h 10.25.1.$ip; done | tee -a /tmp/nikto_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
# Final Nmap command with specific options. With -A, --script replaces the default script set, so 'not ftp-bounce'
# on its own would select every NSE script (intrusive ones included); 'default and not ftp-bounce' keeps the usual
# set. --scan-delay is left out because it contradicts -T5 and --min-rate.
echo "Running: nmap -T5 -A -v --exclude-ports 21 --script 'default and not ftp-bounce' --max-retries 5 --host-timeout 15m --min-rate 500 --max-rate 2000 --open 10.25.1.16/24" | tee -a /tmp/nmap_final_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
nmap -T5 -A -v --exclude-ports 21 --script 'default and not ftp-bounce' --max-retries 5 --host-timeout 15m --min-rate 500 --max-rate 2000 --open 10.25.1.16/24 | tee -a /tmp/nmap_final_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
# Final Nmap command with vulnerability scanning (the vuln category includes intrusive checks)
echo "Running: nmap -T5 -A -v --exclude-ports 21 --max-retries 5 --host-timeout 15m --min-rate 500 --max-rate 2000 --open --script vuln 10.25.1.16/24" | tee -a /tmp/nmap_vuln_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
nmap -T5 -A -v --exclude-ports 21 --max-retries 5 --host-timeout 15m --min-rate 500 --max-rate 2000 --open --script vuln 10.25.1.16/24 | tee -a /tmp/nmap_vuln_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
# Send the command and output for traceroute loop (single quotes keep $(seq ...) and $ip from expanding in the header line)
echo 'Running: for ip in $(seq 1 254); do traceroute 10.25.1.$ip; done' | tee -a /tmp/traceroute_loop_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
for ip in $(seq 1 254); do traceroute 10.25.1.$ip; done | tee -a /tmp/traceroute_loop_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
# Send the command and output for reverse DNS lookup loop (-x does a PTR lookup of the address; without it dig treats the IP as a hostname)
echo 'Running: for ip in $(seq 1 254); do dig @10.25.1.1 -x 10.25.1.$ip; done' | tee -a /tmp/dig_lookup_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
for ip in $(seq 1 254); do dig @10.25.1.1 -x 10.25.1.$ip; done | tee -a /tmp/dig_lookup_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
# Send the command and output for openvas scan
# (omp is the legacy OpenVAS command-line client and its options vary by version; check omp --help before relying
# on --scan-targets. A password on the command line is visible in ps and in the shell history.)
echo "Running: omp -u admin -w adminpassword -h 127.0.0.1 --scan-targets=10.25.1.0/24" | tee -a /tmp/openvas_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
omp -u admin -w adminpassword -h 127.0.0.1 --scan-targets=10.25.1.0/24 | tee -a /tmp/openvas_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
# Burp Suite is a GUI (it does not need root) and writes nothing useful to stdout, so this only records that it was
# started; it is not a headless scan
echo "Running: burpsuite" | tee -a /tmp/burpsuite_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
burpsuite | tee -a /tmp/burpsuite_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
# Send the command and output for lynis system audit (lynis audits the host it runs on and takes no network target;
# --quick skips the interactive pauses)
echo "Running: sudo lynis audit system --quick" | tee -a /tmp/lynis_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
sudo lynis audit system --quick | tee -a /tmp/lynis_output.txt | curl --data-binary @- https://your_server.com/file_drop.php
Disclaimer: None of these commands have been verified as of yet. I ran them headless and dumped them to my server, and I have not yet parsed the output.
Greenbone Scan Report Export Steps